Friday Jun 15, 2007

Happy Birthday to OpenSolaris!  It's now two years old.  See this great blog entry by Jim Grisanzio on how far the project and community have come.


Friday Jan 12, 2007

Sun has a number of great upcoming events on the open source development model and the benefits that customers, system integrators and end users can derive from open source products.

Sun is the leading commercial provider of open source technology in the world today.  Unlike many of our competitors (Microsoft, HP, IBM and Apple come to mind) Sun has completely open sourced a wide variety of our most strategic technologies including:

As a Sun Federal employee who works closely with the US DoD, I can tell you that the DoD believes strongly in an open source development model.   In a paper written by the Office of the Secretary of Defense, they list three of their primary goals to be:

  1. Leverage open source infrastructure and technologies
  2. Apply open source collaborative technologies
  3. Change the default acquisitions and development behavior to default to technology services vs. products

They also make note of OpenSolaris and quote Scott McNealy as saying:

“You learn to share in preschool. Later you learn that if you make the pie
bigger, everyone gets a little more. These lessons came together
when we started Sun. We didn't have the resources to do
everything ourselves, so we shared what we had to attract
customers and get their help in building the business. There are
now 4.5 million Java developers and about 950 companies
worldwide all collaborating on a technology Sun shared with the
community.

This is possible because sharing creates communities, which create
new markets. It's also changing business models: Companies can
no longer expect to lock in customers with proprietary standards.
They must now compete on the value of their business execution.
They monetize that value a little bit, spread over the entire
community. With 1 billion people on the network today, and several
million more joining every week, there's a lot of opportunity. So
while it may seem counterintuitive for a company to share, it's the
key to larger economic growth ― not only for Sun, but also for
everyone in the world.”

As an example, the US Joint Forces Command (JFCOM) has started a project based upon OpenOffice (the code base from which Sun's StarOffice product is built). Using OpenOffice as a base, they are building a "Security Enhanced Office Automation suite." Apparently they are unwilling or unable to do this using Microsoft's "Shared Source" agreement.

Some of JFCOM's stated benefits from using open source include:

  • Increased Flexibility - If you don't like what the vendor or community is doing with the product, you can change it
  • Increased Security
    • Ability to inspect and change (if necessary) the source
    • Ability to verify that the executing version is the one actually derived from the source code (i.e. rebuild from source and compare against the binary you were shipped)
  • Potentially reduced procurement and maintenance costs
  • Increased ability to reuse code
  • Increased ability to share technology with Coalition partners
  • Cost Sharing - Leverage the large open source community to help develop, test and improve your applications

My customer, the Defense Information Systems Agency (DISA), is moving toward adopting Solaris 10 in their mission critical Command and Control applications as well as their data processing centers. The fact that it is based upon the OpenSolaris project is viewed as positive by them.

If you would like to learn more about Sun's efforts in the open source communities, please visit OpenYourMindToday.com and sign up for the next two events:

Why should you care?

Using open source technologies can provide faster time to market, lower cost and reduced risk of vendor lock-in.  Sun's product portfolio is based largely on open sourced technologies.


Friday Jan 05, 2007

Sun Microsystems Named Best Server, Best High-Performance Server and Java IDE Innovator by InfoWorld in Its 2007 Technology of the Year Awards

Sun Microsystems, Inc., the creator of Java technology and Solaris, today highlighted three industry-leading products -- Sun Fire X4200, Sun Fire X4600 and NetBeans Integrated Development Environment 5.5 -- as recipients of Technology of the Year Awards from InfoWorld. Garnering top honors from the InfoWorld Test Center, Sun received three titles: Best Server, Best High-Performance Server and Java IDE Innovator.

The X4200 and X4600 run the open source Solaris 10 OS as well as Microsoft Windows Server 2003, Red Hat and SUSE Linux. NetBeans runs on a variety of platforms including Solaris, Windows, Linux and MacOS.

 Click the link above for the entire article.


Wednesday Dec 20, 2006

As a longtime Mac user (and someone who is 100% Microsoft free at home and work) it's important to me to be able to have a common user interface as I move from home to work. When Sun first introduced Gnome in Solaris this caused a problem because the look and feel was too much like Windows for my taste, and after years of MacOS and CDE usage it was really annoying to close a window in the upper right corner instead of the upper left, where God and Steve Jobs intended the close box to be.

I use this setup on my Solaris 10 based Sun Ray ultra-thin client at the office as well as my Acer Ferrari 3400 laptop.

Thanks to some Gnome theme hackers, I can now have a MacOS look and feel with window widgets where they belong.  Get the theme and icons at: http://www.gnome-look.org/content/show.php?content=13548

Don't forget the most important step:

  • Start gconf-editor by typing gconf-editor at a terminal and hitting enter. This program is a bit like the registry editor for Windows.
  • In the tree on the left, navigate to /apps/metacity/general/
  • In the right pane there is a key called "button_layout".
  • Edit this key so that it reads: close,minimize,maximize
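The same change from the command line, as an added example that is not part of the original post: gconftool-2 is the command-line counterpart of gconf-editor on GNOME 2 desktops, so the key path and value named above can be set from a script and read back to confirm the change. The key and value are the post's; the validation function and the assumption that Metacity is the window manager are mine.

```shell
# Added example (not from the original post): the gconf-editor steps above,
# driven with gconftool-2. The key path and value are the ones the post names;
# the accepted button names assume the Metacity window manager.

KEY=/apps/metacity/general/button_layout

# Validate a Metacity button_layout string: comma-separated button names, with
# at most one colon separating the left and right side of the title bar.
# "menu:minimize,maximize,close" is the Windows-like default; the post's
# "close,minimize,maximize" puts all three on the left, Mac-style.
button_layout_is_valid() {
  _layout=$1
  case $_layout in
    *:*:*) return 1 ;;          # more than one left/right separator
  esac
  for _tok in $(printf '%s' "$_layout" | tr ',:' '  '); do
    case $_tok in
      menu|minimize|maximize|close) ;;
      *) return 1 ;;            # unknown button name
    esac
  done
  return 0
}

# Set the key, then read it back so the change is confirmed rather than assumed.
apply_button_layout() {
  _layout=$1
  button_layout_is_valid "$_layout" || {
    echo "refusing to set invalid layout: $_layout" >&2
    return 1
  }
  if command -v gconftool-2 >/dev/null 2>&1; then
    gconftool-2 --type string --set "$KEY" "$_layout" &&
      gconftool-2 --get "$KEY"
  else
    echo "gconftool-2 not found; would run: gconftool-2 --type string --set $KEY '$_layout'" >&2
  fi
}

# Usage: apply_button_layout "close,minimize,maximize"
```

Validating before writing matters here because gconf stores whatever string it is given; a typo such as "minimise" simply leaves that button missing from every title bar until you notice.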

Why should you care?

If you are a MacOS and Solaris user, this will maximize your productivity by providing a more familiar user interaction. I also enjoy the confused looks I get when I open up my hot, red Ferrari laptop, boot Solaris and log in to a Mac-like desktop.


Monday Dec 18, 2006

I have it on good authority (from Sun Federal COO Bill Vass) that Solaris 10 03/05 has completed its Common Criteria evaluation. It will take us a while to issue a formal press release, but the evaluation is complete. This evaluation was at EAL 4+ using the Controlled Access Protection Profile (CAPP) and the Role Based Access Control PP. The process has taken over a year and cost a significant bundle of cash. Solaris 10 with Solaris Trusted Extensions (found in the 11/06 update) is currently under evaluation with the addition of the Labeled Security PP and should complete next year.

Congratulations and thanks to Sun's evaluation team including Jane Medefesser, Vanessa Kong, and Linda Gallops.

A little history.....

A long, long time ago (back in the 1980s) the NSA created a program known as the Trusted Computer System Evaluation Criteria (TCSEC). As an employee of Gould Computer Systems (RIP!) at that time, I know that Gould's UTX-32 OS was the first commercial Unix to receive a TCSEC C2 evaluation by the NSA. Gould sold about 5 copies of that OS after spending millions of dollars to complete the process. Europe (the UK, Germany, France and the Netherlands) had an equivalent program known as ITSEC. The TCSEC rated OSes using a letter/number scheme (D through A1) that is still referred to by some today:

  • C2 is roughly equivalent to today's CAPP
  • B1 is roughly equivalent to today's LSPP

There were two major problems with the NSA system.

  1. The process took so long and cost so much that an evaluated product was no longer competitive and didn't run on the latest hardware.
  2. An evaluation completed by the NSA meant nothing to the UK, Germany, or other countries who had their own evaluation schemes.

As a result, the Common Criteria process was established, and a number of countries agreed to recognize each other's evaluations under it.

What is a CC Evaluation?

The Common Criteria is an international set of standards for evaluating IT products against a set of security requirements. There are two parts to a CC designation: the Evaluation Assurance Level and the Protection Profile. (Strictly, a product is evaluated against its own Security Target, which may in turn claim conformance to one or more Protection Profiles.)

Evaluation Assurance Level

The EAL designates the level of rigor that was applied to an evaluation.  Levels range from 1-7 and are defined as:

  • EAL1 - functionally tested
  • EAL2 - structurally tested
  • EAL3 - methodically tested and checked
  • EAL4 - methodically designed, tested and reviewed
  • EAL5 - semiformally designed and tested
  • EAL6 - semiformally verified design and tested
  • EAL7 - formally verified design and tested

At this time, EAL4 is the highest level that is mutually recognized between countries under the Common Criteria Recognition Arrangement; higher levels are recognized only within the scheme that issued them.

Protection Profile

A protection profile defines the security functions that a class of product must provide and that the evaluation must cover. For example, the Controlled Access Protection Profile includes requirements for (among others):

  • User authentication  (you have to login)
  • Access control (Unix-style permissions)
  • Auditing (know what has happened on the system)
  • Prevention of object re-use (clear memory and disk before giving it to another user)

There are a variety of protection profiles for product classes including OS, Database, Firewall, Encryption etc.  It is also possible to get a CC Evaluation without a protection profile although the usefulness of such a thing is debatable.

Other protection profiles that apply to Solaris include:

  • RBAC - Role Based Access Control PP
  • LSPP - Labeled Security PP for multi-level data

Who cares about Common Criteria?

The US Federal Government and Department of Defense have a variety of policies (FISMA and DoD Instruction 8500.2) dictating that CC evaluated products should be used where they exist and are preferred over non-evaluated products. As a result, nearly all purchases by the US government require that an OS be evaluated or at least in the evaluation process. Sun has a long history of evaluated Solaris OS versions over the last 10 years.

As an engineer at Sun with many years of DoD customer experience, I'm frequently asked a number of questions about the interpretation of the CC requirements in the DoD (see the questions in the comments section):

Can I use a Solaris update that's different than the certified version?

Strictly speaking, any change that you make to the certified baseline (platform, version, patches) means you are running an "uncertified configuration." This doesn't by itself make you less secure; it only means the evaluated configuration no longer describes exactly what you run. Strict conformance to this policy would effectively prevent you from running the latest Solaris version or taking advantage of the latest hardware.

What is the US DoD policy on using later Solaris updates?

While I can't speak for the government, I can relate my direct conversations with officials at the Defense Information Systems Agency (DISA) who create and enforce these policies. I have been told that a CC evaluation is a "Checkbox" activity that is NOT the most important item in a security accreditation. The fact that a more recent update of Solaris has not been certified directly should not prevent you from using it. However, if the update has a new security feature that has not been evaluated and you are planning to use that feature, it may be more difficult to get your system accredited. DoD customers should work directly with DISA in this area. There is a help desk available at the DISA Field Security Office.

What about commercial customers?

Each customer has their own policy.  Some simply require that a product be "in evaluation."  Others require that some version of the product has been certified.  Work with your customer's security office to determine their policy.

What does DoD Instruction 8500.2 say about CC?

Feel free to read it; however, to paraphrase section E3.2.5: If there is a certified product, you must use it. If there is no product that's certified, it should be "in evaluation." If there is no product in evaluation, a commitment from the vendor to evaluate should be made before you buy. If there is no defined protection profile for a product class (e.g. VMware), the vendor should create a security target and have it evaluated.

If the process was not designed to actually detect software bugs or vulnerabilities in an OS, then what does it check?

This question emphasizes the current disappointment that DoD officials have with the process. They are paying extra money for evaluated products but not necessarily getting better products because of the evaluation process. The process is designed to ensure that a product behaves as documented, but it is NOT a source code scrub for buffer overflows, coding errors or other issues (the fact that MS Windows products are evaluated at EAL4 should make this point painfully obvious!).

Does every product need to be CC  evaluated?

The DoD instruction refers only to "IA products, and IA-enabled IT products." It defines an IA-enabled product as "Product or technology whose primary role is not security, but which provides security services as an associated feature of its intended operating capabilities. Examples include such products as security-enabled web browsers, screening routers, trusted operating systems, and security-enabled messaging systems." By this definition a product like StarOffice is NOT IA-enabled; however, a web portal or an identity management system is IA-enabled in my opinion. Some would say, "If it asks for a username and password, it's IA-enabled."

What is NIAP and who does the evaluations?

NIAP is the National Information Assurance Partnership between NIST and NSA. It runs the CC evaluation and validation scheme in the U.S. An evaluation is done by an independent, accredited commercial laboratory (called a Common Criteria Testing Laboratory, or CCTL, in the US scheme; the UK calls them Commercial Licensed Evaluation Facilities, or CLEFs). Sun's evaluation was done by a Canadian laboratory under the Canadian scheme, and the resulting certificate is recognized in the U.S. through the Common Criteria Recognition Arrangement.

What's wrong with the current Common Criteria process?

Although the current process is somewhat better than the old NSA process, it still leaves something to be desired. I have heard it stated in public forums by DoD employees that the CC process does not meet all of the Government's goals. Current problems include:

  • It still takes a long time (about 1 1/2 years), resulting in delays in purchasing state of the art products.
  • The process is not designed to actually detect software bugs or vulnerabilities in an OS.
  • The rules for adoption of the OS are interpreted in a wide variety of ways across organizations.
  • It is not flexible in handling OS updates and patches.

What is the difference between a CC evaluation and a site accreditation?

Products are CC evaluated; sites and solutions are accredited. For example, a particular site may take a number of CC evaluated products, install them on computers, connect them to networks of different classifications and put the whole solution in a particular building. An accreditation ensures that all these steps were followed with security in mind and that the products, policies, people and procedures meet the security requirements of the mission. An accounting system has different requirements than a warfighting or intelligence gathering system, and the accreditations will vary for each even if they use the same products.

Why should you  care?

CC evaluations provide an assurance that a product has been documented properly and behaves in accordance with its documentation.  It is an external, third party audit of a product that provides a higher level of assurance on the capabilities of the delivered product. Sun takes our responsibility for security very seriously and our goal is to ensure that Solaris is the preferred platform for Federal mission critical systems.

Sun has a long history of evaluated versions of Solaris including 2.5.1, 2.6, 8, 9, 10 and various Trusted Solaris versions.

CC evaluated products are preferred by most US Federal and DoD procurements.



Wednesday Nov 01, 2006

Today I'd like to welcome Sun Federal to the internet!

Sun Microsystems Federal is a wholly owned subsidiary of Sun Microsystems targeting the special requirements of the US government. Because the government is generally every computer vendor's largest customer, an organization with the skills and capabilities of SunFed is needed to comply with the various laws and procurement restrictions. For example, our employees are US citizens and we are required to keep customer data in the US. We also have staff with the unique skills and experience to help respond to government RFPs and GSA schedule requirements.

Scott McNealy is now the Chairman of the board for SunFed (in addition to being Chairman of SMI).  Bill Vass has moved from being Sun's CIO to a role as the COO of SunFed.  Anthony Robbins manages Federal Sales.

The majority of SunFed's roughly 500 personnel are located in the Washington D. C. area at offices in McLean, Reston and Ashburn VA as well as Columbia MD; however, we have a nationwide presence.  Many have security clearances required to work with Homeland Security, DoD and Intelligence agencies.  Sun Federal does about $1 billion in government business each year.

If you are interested in Sun's products and services, call 800-786-0404.  Our Government telesales team there can answer your questions, provide a GSA quote or connect you with your local Sun Sales team.

Why should you care?

Sun Federal can provide unique solutions for the US Government that include services, systems, storage and software.

Some of our government unique solutions include:




Tuesday Oct 17, 2006

Sun has been keeping secrets again, even from me!  It's always fun to learn new things that Sun is doing by finding press releases at Yahoo.

In this case, it's a general purpose data center in a box.  (Well, it's a big box, a standard shipping container, really) Called project Black Box, it's apparently been under development for a few years.  The details will be announced at 9 AM EDT. 

Why should you care?

If you have a need for fast, portable computing power this could be just what you need. It could be a deployable military compute capability, or it could simply augment a retail company's capacity during the Christmas season. I would anticipate a good demand for this kind of thing where I work in Sun Federal.


Wednesday Oct 11, 2006

On May 23, Joshua Brindle posted a reply to an open letter written by one of my colleagues, Darren Moffat. In that reply, entitled Trusted What?, there were several statements made about Trusted Extensions that are apparently misunderstandings. Glenn Faden is the architect of Solaris 10 Trusted Extensions and has posted a rebuttal in his blog.

Why you should care....

If you are unclear about the differences between the security model of SELinux and Solaris 10 Trusted Extensions, Glenn's blog will help you to understand the level of effort that we put into our products to make them secure and easy to use.